← Advisories

VLC media player 1.0.5 Goldeneye (bookmarks) Remote Buffer Overflow PoC

Critical

Advisory ID

ZSL-2010-4931

Release Date

05 March 2010

Vendor

VideoLAN team - http://www.videolan.org

Affected Version

1.0.5 Goldeneye

CVE

CVE-2011-1087

Tested On

Microsoft Windows XP Professional SP3 (English)

Summary

VLC media player is a highly portable multimedia player and multimedia framework capable of reading most audio and video formats (MPEG-2, MPEG-4, H.264, DivX, MPEG-1, mp3, ogg, aac ...) as well as DVDs, Audio CDs VCDs, and various streaming protocols.

Description

VLC media player is vulnerable to a buffer overflow attack when processing .mp3 file and its metadata. It fails to perform boundry checks when creating a bookmark from the malicious media file playing, resulting in a crash, overwriting ECX register.

While the evil .mp3 is playing, you go Playback > Bookmarks > Manage bookmarks > Create.

(e48.10fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=039fe008 ebx=00001200 ecx=41414141 edx=03b7ab88 esi=039fe000 edi=004d0000
eip=7c911895 esp=04befcd8 ebp=04befcf0 iopl=0         nv up ei ng nz ac po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010293
ntdll!RtlInitializeCriticalSection+0x298:
7c911895 8901            mov     dword ptr [ecx],eax  ds:0023:41414141=????????

Proof of Concept

vlcplayer_bof.txtTXT

aimp2_evil.mp3MP3

Disclosure Timeline

05.03.2010Vendor has some knowledge of the issue.

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]http://secunia.com/advisories/38853

[2]http://securityreason.com/exploitalert/7891

[3]http://www.securityfocus.com/bid/38569

[4]http://www.packetstormsecurity.org/filedesc/vlcmediaplayer-overflow.txt.html